ECSAs call for clarity on the application of SCA obligations to payments

The European Credit Sector Associations (ECSAs) consider eIDAS 2.0 a very significant initiative and we welcome the opportunities that the EUDIW can bring to our sector and beyond.Although the proposal is in its final phase, we would like to reiterate our concern on the persistent lack of a clear indication on whether the strong customer authentication (SCA) obligations apply to payments or not and in case SCA for payments are in scope, that it is limited to ecommerce / online / remote situations.

The provision in question is recital 31 and as it stands, it is open to interpretation. Strong customer authentication is already a part of the Revised
Payment Services Directive (PSD2) Framework and includes different steps: an identification of a customer, an authentication, and the authorization of the payment, with different implementations depending on the various types of payment (card-based, account based, eCommerce, etc.). Currently, SCA is conducted based on the PSD2 framework and the corresponding infrastructure.We consider that mandatory acceptance of an EIDAS 2.0’s SCA for payments should be out of scope as their inclusion would mean disproportionate costs for EUIDW solutions to include all the needed specifications for the financial sector and all sectors accepting e.g., card payments, to put the necessary infrastructure in place. Leaving acceptance on a voluntary basis, will drive investments and developments to where there is a clear market demand.
If there is no clear indication whether payment SCA’s are mandatory, this could lead to confusion in the payments ecosystem, legal uncertainty, and delays, while banks risk making substantial changes to the current infrastructure and the respective networks with multiple stakeholders, when it may not be an obligation.

This vacuum could potentially provide an opportunity for large technology platforms to exploit the EUDIW to reinforce entrenched positions. While originally conceived as an EU tool to strengthen EU sovereignty, the unintended consequence of the eID wallet might be the opposite of its intended goal.If payments are considered in scope, then we would strongly recommend to indicate that the obligation only applies to online and e-commerce. There must also be a reference for the eID wallet to meet the necessary industry specific requirements. This can also be done in a Commission Implementing Act.

Without a clear orientation, the development of EU banking standards within or for the ARF (EUDIW) is also at risk.In view of the implementation of the Regulation, the ECSAs therefore urge the co-legislators and the European Commission to consider this issue and take the necessary steps to provide clear guidance